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The Working of AX — an Automaton extractor from C code 

Included in this note are three small examples that illustrate the model extraction method from ANSI C 
code with the tool Ax. 
We discuss: 

• A simple implementation of the alternating bit protocol in ANSI C. 

• Two different implementations of a standard quicksort algorithm. The first implementation is the 
version printed verbatim in Keniighan & Pike's book "The Practice of Programming" (Addison- 
Wesley, 1999) on page 33. The second implementation is the same algorithm rewritten as a non- 
recursive procedure. 

Example 1: Alternating bit protocol. 

The source text for this program, written in standard ANSI C, is as follows. The line numbers in the left 
margin were added for easier reference. 

1 # include <stdio.h> 
2 

3 /* 

4 * C version of alternating bit protocol 

5 * to show that the code need not be 

6 * structured as a state machine, as 

7 * with the 9 format 

8 * GJH 3/6/2000 

9 */ 

10 typedef char uchar; 
11 

12 typedef struct Buffer { 

13 int size; /* current size of buffer ♦/ 

14 uchar *cont; /* buffer contents */ 

15 > Buffer; 
16 

17 extern int get_data (Buffer *) ; 

18 extern int put_data (Buffer *) ; 

19 

20 int 

21 abp_sender (int M) 

22 ( Buffer Bufinp, Buf out ; 



23 short s, S-0, cnt-0 ; 
24 

25 Buf out. size - 1; 

26 Buf out. con t • "M"; 

27 while <cnt++ < N) 

28 if ( ! get_data ( 4Buf out ) ) 

29 break ; 

30 send ( fcBuf out , 3) ; 

31 recv(4Bufinp, £s) ; 

32 if (*Bufinp — 'A 1 ££ s — S) 

33 S - 1 - S; 

34 > 

35 return cnt; 

36 ) 
37 



38 int 

39 abpv receiver (void) 

40 f "Buffer Bufinp, Buf out ; 



41 short s, 8-0, cnt-0; 

42 * 

43 Buf out. size « 1; 

44 Bufout.cont » n A n ; 

45 while (recv(*Buf inp, 6s)) 
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46 < cnt++; 

47 sand (fiBuf out, a) ; 

48 if (• — S) 

49 { if (»put_data(£Bufinp) ) 

50 braak ; 

51 E - 1 - E; 

52 } ) 



53 return ent; 

54 ) 

This C program defines the behavior of a sender and of a receiver process. To run the protocol one can 
instantiate two independent processes (asynchronous threads of execution): one process to execute the 
sender's code and one process to execute the receiver's code. Independently of the part of the 
implementation shown here, one then provides two external routines, ga t_data ( ) obtains the data to be 
transmitted at the sender side, and put_data () delivers data to its ultimate destination at the receiver side. 
The details of the code are not of primary interest here, but the process of converting it automatically into 
an abstract model, guided by a user defined conversion (lookup) table. 

Just using this program as input, and without a first version of a lookup table just yet, we can extract a first 
version of a verification model in Promela. The tool *ax' will generate a default lookup table for us as well, 
that we can then edit to adjust the abstraction that is applied. 

We extract the two parts of the model separately: a part for the receiver and a part for the sender. The two 
parts are combined in a hand-written wrapper that we place around the code, as shown below. 
The first version of the two parts of the model is generated as follows with the commands: 

$ ax -a abp_racaivar abp.c 
$ ax -a abp_sandar abp.c 

The two parts of the model are extracted into the files "abp_racaivar . spn" and w abp_sandar . spn" , 
and the two default lookup tables are written into the files n abp_racaivar . lut* and 
w abp_sandar . lut" . The contents of these two files after this first pass is as follows: 

1. Contanta of fila abp_ racaivar . lut : 



# Ax Lookup Tabla abp_racaivar . lut 



D: 


Buffar Buf inp, Buf out; 


hida 


D: 


ahort • , I»0 , cnt*0 ; 


hida 


A: 


Bufout.aira-1 


hida 


A: 


Buf out. con t- "A" 


hida 


C: 


racv(fi(Bufinp) , fi(s)) 


trua 


C: 


!racv(6(Bufinp) ,&(a)) 


trua 


cnt++ 


print 


F: 


•and(MBufov ^j , a) 


print 


C: 


(a— t) 


trua 


C: 


! (a— «) 


trua 


C: 


( t putjdata (€ (Bufinp) ) ) 


trua 


C: 


! (!put data <£ (Bufinp))) 


trua 


A: 


B-(l-l7 


hida 


R: 


r a turn 


print 


2. 


Contanta of tha fila abp_ 


sandar . lut 


# Ax Lookup Tabla abp sandar 


.lut 


D: 


Buffar Buf .in? . Buf out ; 


hida 


D: 


ahort s,S«G,cnt«0; 


hida 


A: 


Buf out . siza*l 


hida 


A: 


Buf out . conv-^M" 


hida 


C: 


(cnt++<N) 


trua 


C: 


! (cnt++<N) 


trua 


C: 


( ! gat_data (4 (Buf out) ) ) 


trua 
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C : !(! get_data ( £ (Buf out ) ) ) true 
F: stnd(£(Bufout) ,S) print 
F: recv(4(Bufinp> ,4(s) ) print 
C: ((*Bufinp«- , A , )44(s— S) ) true 
C: ! ((*Bufinp= • A' ) 44 <s—S) ) true 
A: S-(l-S) hid« 
R: return print 

Ax assigns default mappings to each basic statement that it encounters. Where the context is unambiguous, 
it will classify the statements as either a declaration (prefix "D:"), a condition (prefix "C:"), an assignment 
(prefix "A:"), a function call (prefix "F:"), a return statement (prefix "R:"). The prefix is just optional 
decoration of the lookup table entries. If it cannot be determined from context (as in the case of the 
"cnt++" statements) it is omitted. All prefixes could be omitted without loss of functionality. 
The default mappings used here are "true" for conditions (and their negations), "print" for function calls 
and return statements, "hide" for declarations and assignments. The defaults are just meant as a starting 
point for the definition of a proper abstraction by the user. To do so, we edit these default lookup tables to 
make them reflect more accurately what aspect of the implementation we are interested in and what we 
want to abstract from. Sample revised tables that capture a possible abstraction are as follows. 

Contents of the file abp_receiver . lut : 

# Ax Lookup Table abp_receiver . lut 
D: Buffer Buf inp , Buf out ; hid* 

D: short «,I»0,cnt»0; byte I, s 

C: recv(4(Bufinp) ,4(s) ) rq?s 

C: !recv(4(Bufinp) ,4<s) ) false 

cnt++ hide 

C: (•«-!) keep 

C: !(•—*) keep 

C: <!put_data(4(Bufinp))) false 

C : ! ( ! put_data ( 4 (Buf inp) ) ) print 

A: Buf out . size- 1 hide 

A: Bufout.cont*"A N hide 

A: E-(l-I) keep 

F: send (4 (Buf out) ,s) sq!s 

R: return hide 

Contents of the file abp_sender . lut : 

# Ax Lookup Table abp_sender . lut 
D: Buffer Buf inp, Buf out; hide 

D: short «,S-0,cnt«0; byte s, S 

C: (cnt++<N) true 

C: ! (cnt++<N) false 

C: (!get_data(4(Bufout))) false 

C : * ( * ge t_dat* ( 4 (Buf out ) ) ) print 

7: send (47Buf out) ,3) rq!S 

C : ( (*Buf inp— • A' ) 44 3) ) s— S 

C: ! ((*Bufinp— 'A')44(s— S))else 

A: Buf out. size- 1 hide 

A: Bufout.cont«"M" hide 

A: S-(l-S) keep 

F: recv(4(Bufinp) ,4(s) ) sq?s 

R: return hide 

By repeating the two commands from above with the new, now explicitly defined lookup tables, we 
generate the final version of the verification models. 

$ ax -a abp_receiver abp.c 
$ ax -a abp_sender abp.c 



-28- 



Holzmann 17 

This gives the following result. The lookup table files are not modified by Ax in this second pass, since 
they completely cover all basic statements used in the source. In the two displays below we've made some 
cosmetic adjustments to the printed form, e.g., by indenting some comments. The two files are machine 
generated by Ax. 

Contents of fila abp_racaivar . spn : 

activa proctypa abp_racaivar ( ) 
{ /* 40: D: Buffer Buf inp, Bufout; */ 

byta E, a; /* 41: D: ahort a,E»0,cnt«0; */ 

/♦ 43: A: Buf out . aiza*l */ 

/* 44: A: Bufout . cont« M A" */ 

LI: 
do 

:: rq?a; /* C: racv(6 (Buf inp) , 6 (a) ) */ 
/* cnt++ */ 

aq!a; /* 47: F: sand (fi (Buf out) , «) +/ 
if 

: (a— 8) ; 

printfCC: !(!put data (fi (Buf inp) )) \n") ; 
B-(l-B) ; /* lina~51 */ 
i (a— S> ; 

fi; 

od; 

/* 53: R: return */ 

) 

Con tan t a of fila abp_aandax . apn : 

activa proctypa abp_aandar() 
{ /* 22: D: Buffar Buf inp , Buf out ; */ 

byta a, 3; /* 23: D: ahort a,S»0,cnt«0; */ 

/* 25: A: Buf out . aixa-1 */ 

/* 26: A: Bufout. con t-^M" */ 

LO: 
do 

printfCC: !( !gat_data(fi (Bufout) )) \n M ) ; 
rq!S; /* 30: 1 : ~iand(fi (Bufout) , S) */ 
aq?a; /* 31: F: racvtfi (Buf inp) , & (a) ) */ 
if 

:: s— 3; /♦ C: ( (*Buf inp— • A* ) fifi (a—S) ) ♦/ 

S«(l-S) ; /♦ lina 33 ♦/ 
:: alaa; /* C: ! ( (*Buf inp— ' A* ) fifi (a— S) ) ♦/ 

fi; 

od; 

/* 35: R: raturn ♦/ 

) 

If we edit the source file abp.c, we can reuse the lookup tables from above to re-extract abstract models 
from the modified C code. If new statements were introduced, the model extractor will add default entries 
for them in the lookup table and warn the user about their presence, so that they can be adjusted to conform 
to the abstraction focus that was chosen. If statements were omitted, the model extractor will comment 
them out of the lookup table by placing a comment symbol (#) at the start of these entries. For even 
significant revisions of the source, taking days for the programmer to make, an update of the lookup tables 
to bring them back in sync with the new version of the code typically takes no more than a few minutes of 
user time. (The alternative of rebuilding a complete verification model for the new source by hand would 
more likely take days - approaching the investment of time that the programmer made.) 

We can inspect the behavior of the abstracted implementation with the logic model checker Spin. First we 
join the two parts of the model in a simple Promela wrapper that defines minimal context for the two 
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processes. The wrapper below defines two abstract channels via which the processes can exchange their 
messages, and includes the text of the two processes. The text of this wrapper, stored in a file called abp, 

is: 

chan rq « {!] of { byte ); 
chan sq * [1] of { byte ) ; 

# include "abp_receiver . spn" 
♦include "abp_sender . spn" 

Now we can run spin on this file. First, we can look at the first 20 steps in a simulation run, looking only at 
message exchanges: 

$ spin -c abp I sed 20q 
proc 0 ■ abp_receiver 
proc 1 ■ abp__sender 

C: ! (!get data (6 (Buf out) ) ) 
q\p 0 1 
1 rq!0 

1 rq?0 

2 sq!0 

2 sq?0 
C: ! (!put_data(6(Bufinp) ) ) 

C:~ (!get data (4(Buf out) )) 
X rq!l " 

1 rq?l 

2 sq!l 

2 sq?l 

C: 9 (!put_data(6(Bufinp))) 

C:~! (!get data (6 (Buf out))) 
1 rq!0 " 

1 rq?0 

2 aq!0 

C: ! (!put_data(£(Bu£inp))) 

This shows the two processes exchanging the sequence numbers and correctly retrieving and depositing 
data during the run. A verification run can be more illuminating, checking the system for possible 
deadlocks, and answering any other logical query that the user can formulate about the operation of the 
system. 

$ spin -a abp 

$ cc -o pan pan.c 

$ pan 

(Spin Version 3.3.10 ~ 6 March 2000) 
♦ Partial Order Reduction 

Full stataspaca search for: 

never- claim - (none specified) 

assertion violations + 
acceptance cycles - (not selected) 

invalid endstates ♦ 

State-vector 36 byte, depth reached 13, errors: 0 
14 states, stored 

2 states, matched 
16 transitions (■ atored+matched) 
0 atomic steps 
hash conflicts: 0 (resolved) 
(max sise 2 A 18 states) 

1.493 memory usage (Mbyte) 
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unreached in proctype abp_raceivar 

(0 of 12 statu) 
unreached in proctype atop_sendar 

(0 of 12 states) 

This verification run proves, for instance, absence of deadlock for the alternating bit protocol. 



Example 2: The Quicksort algorithm. 

The next example serves to show that the model extraction can be applied to arbitrary ANSI C code as 
input, without structuring or style requirements. The code need not be written in a format resembling a 
traditional finite state machine: the model extractor can generate the state machine structure from the 
control flow skeleton of the program for any C program. Model checking for the quicksort algorithm itself 
is not a very fruitful exercise, though, since the algorithm involves no concurrency or process interaction, 
so this is just an example of model extraction, not of model checking. For sequential and deterministic 
algorithms of this type it is generally better to analyze their properties with more conventional techniques. 
Here first is the code from the quicksort algorithm as it appears in a recent textbook (Kemighan & Pike's 
"The Practice of Programming" (Addison- Wesley, 1999), page 33). 

/* swap: interchange v[i] and v[j] */ 
void swap ( in t v[] , int i, int j) 

< 

int tamp; 

temp - v[i] ; 
v(i] - v[j] ; 
v[j] ■ tamp; 

) 

/* quicksort: sort v[0] . .v[n-l] into increasing order */ 

void quicksort (int v[] , int n) 

{ 

int i, last; 

if (n <■ 1) /* nothing to do */ 
return ; 

swap<v, 0, randO % n) ; /* mova pivot */ 
last - 0; /* to v[laft] V 

for (i - 1; i < n; i++> /* partition */ 
if <v[i] < v[0]) 

•wap<v, -M-last, i) ; 

swap(v, 0, last); /* restore pivot */ 
quicksort (v, last); /* recursivaly sort */ 
quicksort (v+last+1 , n-last-1) ; /* each half */ 

} 

We can apply the model extractor to this code, as is, and generate a default lookup table that we can then 
edit as before. The default lookup table that is generated for the quicksort routine looks as follows. 

Contents of quicksort. lut: 
# Ax Lookup Table quicksort . lut 



D: int i,last; hide 

C: <n<«l) true 

C: ! (n<»l) true 

R: return print 

F: swap<v,0, (rand()%n)) print 
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A: l*«t-0 hid* 

A: i-1 hid* 

C: (i<n) trua 

C: ! (i<n) tru« 

C: <vtij<vt0]) trua 

C: !<v[ij<v(0]) trua 

F: swap <v,++laat, i) print 

i++ print 

F: swap <v,0, last) print 

F: quicksort (v, last) print 



F: quicksort ( ( (v-f last) +1) , ( (n-last) -1) ) print 

Note that the routine is recursive, and in the default lookup table the recursion is mapped away. We can edit 
the lookup table to define the required abstraction, retaining all the functionality from the original program, 
including the recursive calls, but redefined to a smaller domain. 

Con tan ts of ravisad quicksort . lut : 
# Ax Lookup Tabla quicksort . lut 



0: 


int i,last; 


short i, last, taap; 


C: 


(i<n) 


kaap 


C: 


! <i<n) 


kaap 


i++ 


kaap 


C: 


(n<-l) 


(n-a<-l) 


C: 


! <n<-l) 


also 


C: 


(vtiKv(Ol) 


(v[i]<v(a)) 


C: 


! <v[i]<v[0]) 


alsa 


A: 


last-0 


last-a 


A; 


i-1 


i-a+1 


F: 


swap(v,0, <rand()%n)) taap - v(a] ; v[a] - v[(n-fa)/2]; v(<n«-a)/2] - taap 


F: 


swap (v , las t , i) 


last-M>; taap - v[i] ; v(i] - v{last] ; v(last] - taap 


F: 


swap (v,0,last) 


taap - v[a] ; v{a] - v[last] ; v(last] - taap 


F: 


quicksort (v , last) 


run quicksort (a, last) ; _nr — pr — _pid+l 


F: 


quicksort (( (v+last) ♦!) , ((n-last) -1)) run quicksort ( las t+1 , n) ; _nr_pr — _pid+l 


R: 


r a turn 


goto dona 



We repeat the model extraction with the edited table and obtain the following abstract model from the code. 
We extract the model without the proctype enclosure, using the option n -n" instead of the earlier "-a" . 
(Ax has options for generating the models as fully instantiated processes (-a), as uninstantiated process 
declarations (-p) or as process bodies (-n), as used in this case.) 

$ ax -n quicksort qaort.c 

Con tan ts of quicksort . spn : 

short i, last, taap; /* 18: D: int i,l*«t; */ 
if 

:: (n-a<-l); /*C: (n<-l) */ 

goto dona; /* 21: R: rtturn */ 
: : alsa; /♦ C: ! <n<«l) */ 

fi; 

tamp - v[a]; v[a] - v[<n+a)/2]; v[<n+a)/2] - tamp; 

/* 23: 7: swap (v, 0 , (rand () %n) ) */ 
last-a; /* 24: A: last-0 */ 
i-a+1; /« 25: A: i-1 */ 

LO: 
do 

: : (i<n) ; 
if 

:: <v[i]<v[a]) ; /♦ C: <v[i]<v[0]) */ 

last++; taap - v[i] ; v[i] - v[laat] ; v[last] - tamp; 
/* 27: F: swap (v, ++laat , i) */ 
: alsa; /* C: ! <v[i]<v[0]) */ 

fi; 
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i++; 

! (i<n) ; -> braak 

od; 

trap - v[a]; v[a] - v[last] ; v[last] ■ tamp; /* 29: F: swap <v,0, laat) */ 
run quicksort (a, laat) ; _nrj>r «- _pid+l; /* 30: F: quicksort <v, laat) */ 
run quicksort <last+l, n) ; _nr_pr — _j>id+l; 
/* 31: F: quicksort (< (v+last) +1) ,< (n-last) -1) ) ♦/ 
goto dona; /* 31: R: raturn */ 

We now have to define the wrapper that defines the context for the generated model. In the wrapper we can 
pass some data to be sorted to the quicksort process, and check that it was sorted correctly after that process 
completes. For the example we'll use the following wrapper for the quicksort model: 

Contanta of fila 'quick' : 

short v[16] ; 

inlina chackrasult ( ) { 
d stap { 

i"« 0; 
do 

: : i < n-1 -> 

asaart(v[i] <«v[i+l]); 
i++ 

: alsa -> 
braak 

od; 
skip 

> 



proctypa quicksort (short a, n) 
{ atonic { 

print* ("quicksort %d - %d\n", a r n) ; 
fincluda "quicksort. spn" 
dona : skip 

> 

) 

init { 

short i, n; 
if 

: n » 6 /* av<an valua for n */ 

: n ■ 5 /* odd valua for n */ 

: n » 0 /* boundary casa */ 

: n ■ 1 /* boundary casa */ 

fi; 
do 

: : i < n -> i++ ; 
if 

: v[i] - 15 
:: v[i] - 9 
:: v[i] - 4 
: : v[i] - 27 
:: v[i] - 11 
fi; 

: alsa -> 
braak 

od; 

run quicksort (0,n) ; 
^nr_pr ™ _pid+l; 
chackrasult () 

> 
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We seed the model with some random input date. We chose between 0 and 6 numbers, arbitrarily from the 
set 4, 9, 11, 15, and 27 and put them in random order (using non-deterministic choices that are native to the 
modeling language Promela). Then we call the quicksort routine over the range of numbers selected. The 
line n nr_pr «■ _pid+l" in Promela guarantees that the last procedure call (really a process 
instantiation) completes before we continue. The final call to "checkresult <) " will verify that the 
numbers were correctly placed in numerical order, whatever their initial order may have been. 

Example 3: A Non-Recursive Version of Quicksort: 

Although the model extraction is straightforward for the recursive version of the quicksort algorithm, the 
definition of the lookup table requires some thought. It can be much simpler if the original C code is closer 
in nature to the target modeling language (in this case Promela). As an example of this, below is a revised 
version of the quicksort algorithm, functionally equivalent to the original, not relying on recursion. 

Revised qsort.c: 

♦include <stdio.h> 
♦include <stdlib.h> 

♦define MaxI 100000 
♦define MaxD 64 

int debug « 0; 

void 

assert (int e) 
< 

if <!e) 

{ printf ("stack overf low\n"> ; 

exit(l); 

> 

> 

♦define swap<i,j> temp - v[i] ; v[i] - v[ j] ; v[j] ■ temp 
♦define putQ(x,y) assert(Qss < MaxD); from[QinJ - x; \ 

uptotQin] - y; Qin - (Qin+1) %MaxD; Qss++ 
♦define getQO a - fromtQout] ; b - uptotQout] ; Qout - (Qout+1) %MaxD ; Qsz— 

void 

main (void) 

{ int i, n, j, k, last, temp; 

int v[MaxI], from[MaxD] , uptofMaxD] ; 
int Qin-0, Qout«0, Qsx-0, a, b; 

for (n • 0; n < MaxI; n++> 

if (fscanf (stdin, "%d H , 6v[n]) — EOF) 
break; 

if (n «« 0) goto done; 

putQ(0, n-1) ; 
while (Qss > 0) 
( getQO; 

if (b-a <■ 0) 

continue ; 
k * a+rand()%(b-a) ; 
swap (a, k) ; 
last - a; 

for (i - a+1; i <» b; i++) 
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if <v(i] < v[a]) 
{ laat++; 

swap (last, i) ; 

) 



swap (a, last) ; 
putQ<a, last) ; 
putQ(last+l, b) 



) 

dona: 



for (j - 0; j < n; j++) 

print* <"%d\n", v[j]) ; 
•xit(0) ; 

} 

The version shown above is a complete self-contained program, that reads in numbers from the standard 
input, sorts them with the quicksort algorithm, and then prints out the result on standard output. 
The lookup table for the main routine can now be defined as follows, consisting mostly of w kaap" 
mappings that are preserve the text from the source verbatim in the target: 

Con tan ts of main.lut: 

# Ax Lookup Tabla main.lut 

# map into small ar domain: 



D: xnt v[100000] ,from[64] ,upto[64] ; int v[8J , f rom[8] , upto[8] 

F: assart((Qsz<64)) assart ( (Qsz<8) ) 

C: (n<100000) (n<8) 

C: ! (n<100000) ! (n<8) 

A: k«(*+<rand()%(b-a))) k-((a+b)/2) /* datarminixa */ 

A: Qout-((Qout+l)%64) Qout- ( (Qout+1) %8) 

A: Qin-( (Qin+1) %64) Qin- ( <Qin+l) %8) 

# litaral, with syntactic conversion: 



D: int i ,n, j ,k, last, tamp; int j , k, last, tamp; 

F: axit(0) hid* 

R: raturn chackrasult () 

C: (fscanf<fi( dj stdin) , "%d" , 6 <v[n] ) ) — (-1) ) aapty(qin) 

C: ! (fscanf (t(_dj_stdin) ,"%d",«(vCn]) ) — (-1)) qin?k; v[n] - k 
Qax++ Qsx++; assart (Qs«<-n+l) 

Qsx — Q«z — ; assart <Qsx>»0) 

# tha rast is litaral: 

D: int Qin»0 , Qout-0 , Qss«0 , a , b ; kaap 
F: printf <"%d\n" ,v[ j J ) kaap 



(QszX)) kaap 

! <QssX>) kaap 

((b-a)<-0) kaap 

!((b-a)<«0) kaap 

(i<-b) kaap 

! (i<-b) kaap 

(v[il<vCa]) kaap 

»(v[i]<v[a]) kaap 

(j<n) kaap 

! ( j<n) kaap 

(n— 0) kaap 

! (n—0) *aap 
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kMp 






kMp 




vTal svTkl 

v LA J » I* J 


kMp 






kMp 




last"* 


kMp 


A. 


i-(a+l) 


kMp 


A: 


tampan/ [ las t ] 


kMp 


A: 


v[last]*v[il 


kMp 


A: 


v[i] itimp 


kMp 


A: 


v£a]«v[lastj 


kMp 


A: 


v[ last] -tamp 


kMp 


A: 


from[Qin]«a 


kMp 


A: 


upto [Qin] »la«t 


kMp 


A: 


from (Qin 1 • Uast+1) 


kMp 


A: 


up to [Qin]»b 


kMp 


A. 


j-o 


kMp 


i++ 


kMp 


n++ 


kMp 


!+♦ 


kMp 


la«t++ 


kMp 



The lookup tabic is used here mostly to restrict the maximum range of numbers and to convert the style of 
reading input and writing output Finally, the wrapper for the extracted model in this context can be 
defined as follows: 

chan qin * [6] of { int ) ; 

inline checkresul t ( ) { 

i - 0; 
do 

: : i < n-1 -> 

aa»ert(vti] <■ v[i+l]); 
i++ 

: else -> 
break 

od 

> 



init { 



byte i, n; 
if 

: n - 6 

: n - 5 

: n » 0 

: a - 1 
fi; 
do 

: : i < n -> i++; 
if 

: qin! 15 
: qin! 9 
: qin! 4 
: qin! 27 
: qin! 11 
fi; 

: else -> 
break 

od; 



/* own value for n */ 
/* odd value for n */ 
/* boundary case */ 
/* boundary case */ 



/* placed together to get a merge pair */ 

/* choose from n different or equal nra */ 
/♦we could also fill in the v[]'s directly */ 



-36- 
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skip; /* *yfitix r*quir«Mnt */ 
d_a>t«p ( 
♦includa "main . «pn" 

) 

> 




As noted, the objective of this exercise is not to verify the quicksort algorithm, but to demonstrate that 
model extraction from arbitrary ANSI C code is possible with the Ax model extraction tool. 



